Symantec Data Loss Prevention 12: Administration Labs and Appendices
100-002799-C
CONFIDENTIAL - NOT FOR DISTRIBUTION
COURSE DEVELOPERS
Oscar Pnes, Gaurav Srivastava

LEAD SUBJECT MATTER EXPERTS
Jennifer Carlson, Shawn Chen, Fjon Klein, Kenneth Liu, Joann Pavlovcak, Michael Plavin, Dinesh Rajwani, Steve Rudman, Sumit Sarin, Wade Walters, Ben Yang

TECHNICAL CONTRIBUTORS AND REVIEWERS
Kunal Bijur, Lani Chan, Tory Gilbert, Robert Gutcho, Charles McLendon, Pauline Pickle, Steve Randall, Ernest Simmons
Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and VERITAS are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

THIS PUBLICATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION. THE INFORMATION CONTAINED HEREIN IS SUBJECT TO CHANGE WITHOUT NOTICE.

No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Symantec Data Loss Prevention 12: Administration
Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043
United States
http://www.symantec.com
Table of Contents
Appendix A: Labs
  Lab 2: Navigation and reporting .... A-1
  Lab 3: Incident Remediation and Workflow .... A-5
  Lab 4: Policy Management .... A-23
  Lab 5: Response Rule Management .... A-29
  Lab 6: Described Content Matching .... A-33
  Lab 7: Exact Data Matching and Directory Group Matching .... A-41
  Lab 8: Indexed Document Matching .... A-49
  Lab 9: Vector Machine Learning .... A-59
  Lab 10: Network Monitor Review .... A-61
  Lab 11: Network Prevent .... A-67
  Lab 13: Network Discover and Network Protect .... A-73
  Lab 14: Endpoint Prevent .... A-87
  Lab 15: Endpoint Discover .... A-95
  Lab 17: System Administration .... A-101

Appendix B: Lab Solutions
  Lab 2: Navigation and reporting .... B-1
  Lab 3: Incident Remediation and Workflow .... B-9
  Lab 4: Policy Management .... B-45
  Lab 5: Response Rule Management .... B-57
  Lab 6: Described Content Matching .... B-65
  Lab 7: Exact Data Matching and Directory Group Matching .... B-77
  Lab 8: Indexed Document Matching .... B-91
  Lab 9: Vector Machine Learning .... B-105
  Lab 10: Network Monitor Review .... B-109
  Lab 11: Network Prevent .... B-123
  Lab 13: Network Discover and Network Protect .... B-137
  Lab 14: Endpoint Prevent .... B-163
  Lab 15: Endpoint Discover .... B-181
  Lab 17: System Administration .... B-191

Appendix C: Complementary Symantec Products
  Complementary Symantec Products: Overview .... C-3
  Data Insight Integration and Reporting .... C-4
  Data Classification for Enterprise Vault .... C-30

Appendix D: Network Monitor Advanced Details

Appendix E: Endpoint Agent Events

Appendix F: Services and Directory Structure

Appendix G: Obtaining Technical Support from Symantec
  Using self-help resources .... G-2
  Obtaining customer support .... G-7

Symantec Acronym Glossary
Appendix A: Labs
Lab 2: Navigation and reporting

In this lab, you perform tasks that reinforce the concepts presented in the lesson.
Two parallel versions of the labs enable you to select the level of detail that suits your experience: Appendix A provides step-by-step lab instructions. Appendix B provides complete lab instructions and solutions.
Objectives

The purpose of this lab is to familiarize yourself with the navigation of the Symantec Data Loss Prevention user interface. You also learn to create, schedule, and distribute Symantec Data Loss Prevention reports, and lastly to create a custom attribute.
Note: The following symbol represents the VM image you need to access in order to continue with the upcoming lab steps. In this example, the prompt is indicating the Enforce system. Administrator and Training1 refer to the Windows username and password for the system in this image. Because automatic logon is used, this information is not required unless you manually log out of Windows.
Enforce: Administrator:Training1
Exercise 1: Exploring the UI controls

Enforce: Administrator:Training1
User name: Administrator
Password: protect4

In this exercise you practice viewing your profile and examining online Help.

1 Verify that the following systems are online:
  Enforce
  Endpoint Client
2 Double-click the Symantec Enforce Server shortcut on the desktop and log in as Administrator.
3 View your profile.
4 Open online Help and work through its options.
  Use the Contents tab to find information on Role-Based Access in Managing Roles and Users.
  Use the Search tab to find information on Alerts.
  Use the Index tab to find information on Described Content Matching (DCM) and Response Rules - Configuring Actions.
  Navigate to Incidents > Network for context-sensitive help.
5 How many main topics are listed under the Contents tab? Name five (5).
6 Use the Index tab and answer the following question: What is the definition of trial mode for a Network Prevent Server?
Exercise 2: Navigating the UI

The Symantec Data Loss Prevention console offers main drop-down directories and subdirectories, and gives easy access to system configuration. In this exercise, you familiarize yourself with the location of items you use in upcoming labs.

1 Use the System tab to view its subdirectories and look at the Overview and Server Detail pages.
  Review the System > Servers > Overview page.
  Review the Server Detail page for the Network Monitor server named Monitor 1.
2 Use the Manage tab to view the following policies and response rules.
  Customer Data (DCM) policy.
  Customer Data (DCM) policy's response rules.
  Actions and Conditions for the Block e-mail and Send Notification to Sender and ITSecurity response rule.
  Suspend all policies.
3 Use Incidents to view All Reports and an incident snapshot.
  View Network > Incidents All.
  View the incident snapshot for Incident ID 00000127.
  Note: View only. Do not make changes.
  View the saved report Main Dashboard.
4 Log out of the Enforce console.
Exercise 3: Creating a custom attribute

Enforce: Administrator:Training1
User name: Administrator
Password: protect4

1 Open a web browser and log in as Administrator.
2 Add a new Custom Attribute to the Attribute Group Current Job Status.
  Custom Attribute Name: Title
  New Attribute Group: Current Job Status

End of lab
Lab 3: Incident Remediation and Workflow

In this lab, you learn to use Symantec Data Loss Prevention reports and workflow to effectively remediate incidents. You also learn to create roles, users, and attributes.
Exercise 1: Create status attributes, roles, and users

Enforce: Administrator:Training1

ACME is ready to build their incident response team strategy. The ACME project team has reviewed the financial services solution pack and determined that they require additional roles. ACME requires that the first line responders for all customer data have limited access to view the incident information, to ensure that ACME safeguards employee privacy.

1 Add a new Status Attribute.
  Status Attribute Name: Resolved - HR
2 Edit an existing Status Group.
  Status Group: Resolved
  Member Status: Resolved, Resolved - Education, Resolved - HR
3 Add a new role.
  Role name: First Line Responder
  View Permissions: Perform attribute lookup, Delete incidents, Export Web archive, Incident Reporting, Incident Update
  Attribute Restrictions (First Line Responder role, continued):
    Display: History, Body, Sender, Original Message, Username, Machine Name, File Owner
    Custom: Employee Code, Last Name, Region, First Name, Phone, Sender Email
  Incident Access Restrictions: Policy Group is any of Customer Data Group
4 Add a second new role.
  Role name: First Line Manager
  View Permissions: Perform attribute lookup, Delete Incidents, Export Web Archive, Incident Reporting, Incident Update
  Attribute Restrictions: None - Leave at default
  Incident Access Restrictions: Remediate incidents for only the Customer Data Group when incident Status is Escalated or Requires Training
  Policy Management: Author policies for the Customer Data Group.
5 Add the firstlineresponder User.
  Name: firstlineresponder
  Password: responder
  Email Address: [email protected]
  Role: First Line Responder
6 Add the firstlinemanager User.
  Name: firstlinemanager
  Password: manager1
  Email Address: [email protected]
  Role: First Line Manager
7 Log in as each new User: firstlineresponder and firstlinemanager. Notice the restrictions in the accounts.
  Name: firstlineresponder, Password: responder
  Name: firstlinemanager, Password: manager1
8 Log out of the console.
Exercise 2: Report creation and distribution

Enforce: Administrator:Training1
User name: CISO\ITSecurity
Password: protect4

As a member of the ACME Information Security team, you have been asked by the CISO to develop several new reports that are shared with senior management. The following is the list of three new reports the CISO would like you to create, share, and schedule for distribution:
  Business Unit Scorecard: This report summarizes all Network incidents by Business Unit and then by Policy.
  Machine IP by Policy: This report summarizes all Endpoint incidents by Policy and then by Machine IP.
  Highest Risk Endpoints: This report summarizes all New Data at Rest incidents where the Target = Endpoints, by Scanned Machine and then by Policy.

1 Open a browser and log in as the ITSecurity user within the CISO role.
2 Create a new Network report: Business Unit Scorecard. Save, share, and distribute this report on a monthly schedule.
  Report Name: Business Unit Scorecard
  Description: Summarize Network Incidents sorted by Business Unit and then by Policy.
  Summarized by:
    Primary: Business Unit
    Secondary: Policy
  Share Report
  Delivery Schedule:
    Schedule: Send Monthly On
    At: 9:00 AM
    Send To: [email protected], [email protected]
3 Revise the Business Unit Scorecard report to show all incidents where the Status = Open.
  Note: Now that you have revised the Business Unit Scorecard report, you have three options: (1) save the report with the new filters by selecting Save > Save, (2) save the report under a new report name by selecting Save > Save As, or (3) leave the report name and filters as they are and just review the new results. In this lab, select option 3 because you are not required to save these revisions.
4 Create a new Endpoint report: Machine IP by Policy. Save and share this report.
  Report Name: Machine IP by Policy
  Description: Summarize Endpoint Incidents sorted by Policy and then by Machine IP.
  Summarized by:
    Primary: Policy
    Secondary: Machine IP (Corporate)
  Share Report.
5 Create a new Discover report: Highest Risk Endpoints. Save and share the report.
  Report Name: Highest Risk Endpoints
  Description: Lists the Endpoints with the most incidents found by Endpoint Discover.
  Filtered by:
    Target ID: Endpoints
    Detection Date: All Dates
  Summarized by (Highest Risk Endpoints report, continued):
    Primary: Scanned Machine
    Secondary: Policy
  Share Report.
Exercise 3: Creating a new dashboard

The CISO has requested that you develop a new dashboard named Enterprise Dashboard. This allows the CISO to quickly assess the organization's risk across all the coverage areas: Network, Endpoint, and Storage (Discover). The following is the list of six reports the CISO wants you to add to the new dashboard:
  Network: Network Incidents-All
  Network: Business Unit Scorecard
  Endpoint: Endpoint Incidents-All
  Endpoint: Machine IP by Policy
  Discover: Target Summary
  Discover: Highest Risk Endpoints

1 Create a new Shared Dashboard.
  Dashboard Name: Enterprise Dashboard
  Description: Dashboard showing all coverage points in the Enterprise: Network, Endpoint, and Discover.
  Left Column (Chart Only):
    Network Incidents All
    Endpoint Incidents All
    Discover Target Summary
  Right Column (Chart and Table):
    Business Unit Scorecard
    Machine IP by Policy
    Highest Risk Endpoints
Exercise 4: Configuring a user's reporting preferences

Enforce: Administrator:Training1
User name: CISO
Password: protect4

The CISO has requested that you configure the system to provide quick access to his or her preferred reports. Additionally, you have been asked to make the new Enterprise Dashboard the first report displayed when the CISO logs into the system.

1 Access the Enforce system, log out as user ITSecurity, and log in as user CISO.
  What are the first six report links displayed in the Incidents > Network section?
2 Configure Enterprise Dashboard as the default report for user CISO.
3 Configure the Reports Pane. Configure the list of Network report links displayed in the left pane of the Network Reports page to display only the following reports. These changes should take effect immediately. You may need to refresh to see the changes.
  Exec. Summary - Network
  Policy Trend
  Protocol Trend
  Aging Unres. Incidents
Exercise 5: Incident Response: First Responder role escalates incidents

User name: ISR
Password: protect4

ACME has established a three-tier Incident Response strategy using the following three roles: First Responder > Customer Data Responder > Investigation.

The First Responder role has been established to examine new PCI and PII customer incidents. This role has been instructed to escalate all incidents that appear to be valid (for example, credit card numbers, government identification numbers, and so on). The First Responder role is entitled only to view and remediate incidents where the Status = New or In-Process. Additionally, this role has restricted visibility into incident data to safeguard employee privacy.

Once the incident has been escalated, the Customer Data Responder reviews the incident in the next exercise.

1 Log out as CISO and log in as user ISR, who is a member of the First Responder role.
2 Review the Incident List report named My In-Process.
  How many incidents are currently in the In-Process status?
  What severities are these incidents?
  Which policies did these incidents violate?
3 Review the Incident Snapshot report for incident ID 00000049.
  What type of protocol was used to deliver the message that created this incident?
  Review the match highlighting. Does this incident appear to contain a valid violation? If so, where was it found in the message (header, body, or attachment)? What type of data was found?
  Which policies did this one message violate? How many rules did this message violate for the first policy? If more than one policy, how many incidents did this one (1) message generate? Review any additional incidents using the go to incident links.
  Review the match highlighting of the additional incident. Does this incident appear to contain a valid violation? If so, what type of data was found in the message? How many rules did it violate for this policy?
4 Select the Correlations tab and review Correlations for incident ID 00000049.
  How many times has this subject appeared in an incident?
  How many times has the Payment Card Industry Data Security Standard policy been violated?
5 Review all the incidents with a related subject.
6 Escalate multiple incidents at one time using Set Status.
  Review the subjects of the incident list that ISR can now see. These all appear to be related. Assume that ISR has reviewed each to determine that they all contain credit card numbers or social security numbers.
  Use the Set Status: Escalated to move them to the next step in the workflow and remove them from ISR's work queues.
  The status of all eight (8) incidents is changed to Escalated. The incidents are escalated to the next step in the workflow process for further review by the Customer Data Responder role in the next exercise.
Exercise 6: Incident Response: Customer Data Responder using Smart Response to escalate or resolve

User name: CSR
Password: protect4

The Customer Data Responder role has been established to review incidents where Status = Escalated and the policy group = Customer Data or General. This role has been instructed to escalate or resolve incidents using Smart Responses as follows:
  Notify Manager and Resolve: Resolve incidents by scheduling data security training when the employee requires education to avoid further violations. Status = Resolved, Reason = Schedule Data Security Training.
  Escalate BU: Escalate incidents to engage the Business Unit when a potential broken business process is identified. Status = Escalated, Reason = Engage BU to fix Broken Business Process.
  Resolve BU: Resolve incidents when the Business Unit is actively addressing a broken business process. Status = Resolved, Reason = BU Addressing Broken Business Process.
  Launch Investigations: Escalate incidents that appear to be malicious. Status = Investigations.

1 Log out as ISR and log in as user CSR, who is a member of the Customer Data Responder role.
2 Navigate to Incidents > Network > Incidents - All.
3 Review the Incident Snapshot report for incident ID 00000055.
  Does this incident appear to be malicious?
  What do the Sender and Recipient values imply? Who is recipient [email protected]?
  Reviewing the Message Body section, what mistake did the sender [email protected] make that caused this incident? How could he have avoided an incident (and potentially all the subsequent incidents)?
  Using the Attributes pane, which Business Unit does sender jcolby report to?
4 Using the Correlations tab, navigate to all incidents that contain the same Subject.
  Note: Correlations identify all messages that contain the same Subject line words. This includes all Forwards, Replies, and messages where new words have been appended or prepended in the Subject line.
5 Assume that the CSR has reviewed these incidents and determined that they are to be resolved by scheduling education for the senders.
  Use the Smart Response: Notify MGR and Resolve to resolve all Incidents. Take a few moments to review the Smart Response Actions that occur before confirming.
6 Review the History within the Incident Snapshot.
  Did the system successfully send notifications to the manager and helpdesk?
7 Review the notification sent to the manager's and Helpdesk's e-mail addresses. Log on to Thunderbird to review the first notification sent to manager Zoe Jones from [email protected] with the Payment Card Industry Data Security Standard violation subject.
8 Resolve incidents (ID 00000060 and 00000061) using Smart Response: Launch Investigation.
  Select Saved Report Escalated Year-to-Date to return to CSR's escalated incident work queue.
  Review the Incident Snapshot report for incident ID 00000061 and answer the following:
  Does this incident appear to be malicious?
  What do the Sender and Recipient values imply?
  Which Policies does this message violate?
  What does the match highlighting reveal? Reviewing the questions and answers for Q2, Q3, and Q4, what can you ask yourself about this employee's actions?
  a Review the Correlations tab.
    How many incidents has sender [email protected] generated?
    How many incidents have been sent to the recipient [email protected]?
9 Using Correlations, navigate to all seven (7) incidents that recipient [email protected] received.
10 Assume that the CSR has reviewed these incidents and determined that they must all be investigated. Notice that the senders are violating the Encrypted Data policy and the PCI Compliance policy.
  Use the Smart Response: Launch Investigation to resolve all seven incidents. Take a few moments to review the Smart Response Actions that occur before confirming.
Exercise 7: Web Archive

User name: SysAdmin\ITSecurity
Password: protect4

ACME's Investigation Team needs to be able to review incidents offline when engaged in an investigation. You have been asked to export all incidents where status = Investigation to HTML format for offline viewing.

1 Log out as CSR and log in as user ITSecurity in the SysAdmin role.
2 Create a new Network report: Investigations Till Date, and save this report.
  Report Name: Investigations Till Date
  Description: Incidents under Investigation
  Filtered by:
    Status: Investigation
    Date: All Dates
3 Create a new Web Archive: Investigations.
  Archive Name: Investigations
  Report to Export: Investigations Till Date
4 Review incidents offline for the Web Archive: Investigations.
  Navigate to the Enforce Server file system C:/Vontu/Protect/archive/Investigations
  Review Incident ID 00000056.
Exercise 8: Export incidents using XML export

ACME's Investigation Team needs to be able to review incidents offline when engaged in an investigation, but would like to do so now in XML format. Export the report created in the previous exercise in XML format.

1 Continuing on the ITSecurity account, export the Investigations Till Date report to XML and review the results.
Exercise 9: User risk summary

ACME's IT team needs to configure the user risk summary to identify high-risk users.

1 Add a CSV user data source. Use the User_List.csv file located in the C:\SDLP\Lesson_03\Lab_09_01_CSV folder.
2 Verify the imported user list.
3 View the user risk summary report.
4 Click Logout.

End of lab
Lab 4: Policy Management

The purpose of this lab is to reinforce your working knowledge of Policy Management. In this lab, you create a policy group, create a customer data policy, create a custom (blank) policy, create a policy based on a template, and export and import a policy.
Exercise 1: Creating a policy group

1 Open a browser to the Enforce UI and log in using the following credentials:
  Enforce: Administrator:Training1
  User name: Administrator
  Password: protect4
2 Add a new policy group.
  Name: Test Policy Group
  Description: Used for testing purposes
  Servers: All
Exercise 2: Create a customer data policy

Enforce: Administrator:Training1
User name: Administrator
Password: protect4

ACME needs to create a customer data policy to detect US Social Security Number violations.

1 Open a browser and log in as the Administrator user.
2 Create a new policy.
  Name: ACME Protect Customer Data
  Description: optional
  Policy Group: Customer Data Group
3 Under the Detection tab, add a new rule.
  Rule: Content Matches Data Identifier: US Social Security Number (SSN)
  Rule name: SSN Data Identifier
  Severity: Medium
  Breadth: Medium
Exercise 3: Creating a custom (blank) policy

Enforce: Administrator:Training1

1 Add a new blank policy.
  Policy Name: E-mail Test Policy
  Description: Testing e-mail messages with drop folder
  Policy Group: Test Policy Group
2 Add a keyword rule.
  Rule name: Looking for company name
  Keywords: Symantec Corporation
3 On the Enforce system, copy the Lab4test.eml file from the c:\SDLP\Lesson_04\Lab_04-02_Keyword\ folder and paste it into the c:\drop folder.
  Note: Do not drag and drop the file to the folder.
4 Watch the drop folder consume the file, or navigate to c:\Vontu\Protect\incidents. The incident moves quickly in and out of this folder.
5 View the incident in Enforce.
Exercise 4: Create a policy based on a template

ACME's Development team is interested in protecting their design documents. They use the Design Documents Policy Template to detect CAD/CAM drawing files.

1 Add a policy from a template.
  Template: Design Documents
  Name (Change the Name): ACME Design Docs
  Description: Protect ACME design docs
  Policy Group: Test Policy Group
2 Test the policy with the LatestLoadCellDesign.eml file from the c:\SDLP\Lesson_04\Lab_04-03_Policy\ folder.
  Note: When using the C:\drop folder, the system refers to the date/time stamp from when the .eml was saved, not when it was copied to the C:\drop folder. This can make it difficult to view the most recent incidents because the default sort for incident lists is by date.
  TIP: To see the most recent incidents, sort by ID, because each new incident's ID number is increased by one from the previous incident.
Exercise 5: Export/Import policy templates
Enforce: Administrator:Training1
ACME wishes to export a policy they have created and tested from their test environment and import it into their production environment.
1 Export the Hardware Pricing Protection policy.
2 Import the recently exported policy template, Hardware Pricing Protection.
Note: For demonstration purposes, in class only, you export and import in the same environment.
End of lab
Lab 5: Response Rule Management
The purpose of this lab is to reinforce your working knowledge of Response Rules. In this lab you create an automated response rule and a smart response rule.
Exercise 1: Create Automated Response Rules
Enforce: Administrator:Training1
ACME has stated they would like to define consistent response rules for high, medium, and low severity incidents within their company.
1 Open a browser to the Enforce UI and log in using the following credentials:
    User name: Administrator
    Password: protect4
2 Add a new High Severity Automated Response Rule.
    Rule Name: ACME High Severity Rule
    Description: Notify Manager and InfoSec, Escalate
    Conditions: Severity: High
    Actions: All: Send Email Notification
        Check Manager Email
        Language: English
        Subject: Please Read Policy Violation
        Body: Insert Variables: Severity, Sender, Policy Name, Match Count, Subject
    Actions: All: Set Status
        Status = Escalated
3 Add a new Low Severity Automated Response Rule.
    Rule Name: ACME Low Severity Rule
    Description: Discard Original Message, Non-Violating Attachments and Resolve
    Conditions: Severity: Low
    Actions: All: Limit Incident Data Retention
        Select Discard Original Message
        Select Attachments with no Violations
    Actions: All: Set Status
        Status = Resolved
Exercise 2: Create a Smart Response Rule
1 Add a new Smart Response Rule.
    Rule Name: ACME Training Response
    Description: Resolved with Employee Education
    Conditions: (N/A, always executed manually)
    Actions: All: Add Note: Conducted Training
    Actions: All: Set Status: Resolved Education
End of lab
Lab 6: Described Content Matching
The purpose of this lab is to reinforce your working knowledge of the Described Content Matching (DCM) detection method. In this lab, you create policies that include DCM rules and then capture incidents with those policies.
Exercise 1: Create a DCM Policy
Enforce: Administrator:Training1
ACME's Marketing team is developing a new product with the code name acmeflash. They are co-developing it with an outside agency. Marketing is in the very early stages of developing the product (product name, terms, marketing collateral, and so on). The team needs to protect their work-in-progress documents. They have agreed to preface all document names with blackprogram- and to send them only to [email protected]. They would like to monitor to ensure that no one is sending information regarding the code name acmeflash or has found their documents and sent them.
1 Verify that all policies are suspended.
2 Add a new blank policy.
    Policy Name: Black Program
    Description: New Product Launch Data
    Policy Group: Test Policy Group
3 Under the Detection tab, add a Content Matches Keyword rule.
    Rule name: New Product Code Name
    Keywords: acmeflash
4 Under the Groups tab, add a Recipient Matches Pattern exception.
    Exception name: Trusted Partner Exception
    Conditions
        Recipient Pattern: [email protected]
5 Add a compound condition to this exception.
    Also Match: Message Attachment or File Name Match
    Conditions
        File Name: blackprogram-*.*
6 Access the Enforce system and place the three .emls in the C:\SDLP\Lesson_06\Lab_06-01_DCM directory into the C:\drop folder and view the Expected Results as indicated in the Enforce UI.
    File Name                          Result
    NO-MATCH - Project kickoff.eml     No Match - No incident created.
    MATCH - FileType-Changed.eml       Match - Does create an incident.
    MATCH - Product Launch TXT         Match - Does create an incident.
7 Make sure all policies are suspended.
Exercise 2: Create a DCM Policy (Data Identifiers)
Enforce: Administrator:Training1
During the baseline period, ACME is interested in understanding the formats of Social Security Numbers that are sent by different employees or automated processes. To do this, they test the US Social Security Number Data Identifier. This helps them understand the different results (false positives and catch rate) between DI breadths (wide, medium, narrow).
1 Add a blank policy.
    Name: SSNs all breadths
    Description: Test SSN DI
    Policy Group: Test Policy Group
2 Under the Detection tab, add a Content Matches Data Identifier rule.
    Select: US Social Security Number (SSN)
    Rule Name: Wide breadth
    Conditions/breadth: Wide
3 Under the Detection tab, add a second Content Matches Data Identifier rule.
    Select: US Social Security Number (SSN)
    Rule Name: Medium breadth
    Conditions/breadth: Medium
4 Under the Detection tab, add a third Content Matches Data Identifier rule.
    Select: US Social Security Number (SSN)
    Rule Name: Narrow breadth
    Conditions/breadth: Narrow
5 Access the Enforce system and place the .eml files in the C:\SDLP\Lesson_06\Lab_06-02_SSN_DI directory into the C:\drop folder and view the expected results as indicated.
    File Name: MATCH-SSN-DI.eml
    Subject: Here is the list of SSNs
        Breadth    Match Count
        Wide       2
        Medium     2
        Narrow     2
    File Name: NO-Narrow-Match-SSN-DI.eml
    Subject: SSNs for you to try in your app
        Breadth    Match Count
        Wide       2
        Medium     2
6 Make sure all policies are suspended.
Exercise 3: Creating a DCM Policy from the PCI Template
Enforce: Administrator:Training1
ACME's Compliance team needs to ensure that ACME is compliant with PCI standards. They want to use the Symantec Payment Card Industry Data Security Standard Policy Template to detect valid credit card numbers and/or credit card magnetic stripe data.
1 Add a policy from a template.
    Template: Payment Card Industry Data Security Standard
    Name (Change the Name): ACME PCI
    Description: PCI (CC# and Mag Stripe data)
    Policy Group: Test Policy Group
2 Access the Enforce system and place the .emls in the C:\SDLP\Lesson_06\Lab_06-03_PCI directory into the C:\drop folder and view the expected results in the Enforce UI as indicated.
    File Name: MATCH-CCnumbers.eml
    Subject: MATCH-Here are the good numbers I told you about
    Result: Match - Should create an incident with three match counts.
    File Name: MATCH-Mag Stripe Data.eml
    Subject: MATCH-hope you like this info
    Result: Match - Should create an incident with four match counts.
    File Name: NO MATCH-CCnumbers.eml
    Subject: NO MATCH-Here are the good numbers I told you about
    Result: No Match - Does not create an incident the first time. Creates an incident with three match counts after revising the policy.
Why does the last .eml, named NO MATCH CC numbers, not produce an incident?
How could you revise the policy to catch that message?
3 Revise the policy to capture the .eml named NO MATCH CCnumbers.eml.
4 Access the Enforce system and copy the NO MATCH-CCnumbers.eml file from the C:\SDLP\Lesson_06\Lab_06-03_PCI directory into the C:\drop folder again. You should catch it this time.
5 Make sure all policies are suspended.
End of lab
Lab 7: Exact Data Matching and Directory Group Matching
The purpose of this lab is to reinforce your working knowledge of the Exact Data Matching (EDM) detection method. In this lab, you create policies that include EDM rules and then capture incidents with those policies. As part of this process, you create EDM indexes, including an EDM index for use in a DGM rule.
Exercise 1: Creating an EDM Index
Enforce: Administrator:Training1
To ensure that ACME's high net worth customers are not disclosed to unauthorized recipients, the InfoSec team is charged with setting up monitoring policies to protect this data. ACME requires the highest degree of accuracy to eliminate false positives. This lets ACME remediate incidents without adding headcount, and it gives them the confidence to block these violations during Phase II of their Symantec Data Loss Prevention deployment. ACME's project team has elected to protect the Customer Data File. ACME also requires that they do not monitor the communications of their employees located in France or Switzerland. To accomplish this, the InfoSec team creates an Exact Data Profile to match senders from the Employee Directory based on their country of residence. ACME has created extracts of both files to be used as Exact Data Profiles in Symantec Data Loss Prevention.
1 Create an Exact Data Profile.
    Name: ACME Customer Data
    Data Source: Upload Data Source to Server Now - c:\SDLP\Lesson_07\Lab_07-01_EDM_Index\CustomerDataExtractLarge0213.dat
    Column Names: Select Read first row as column names
    Error Threshold: 5%
    Column Separator: Tab
    File Encoding: ISO-8859-1 (Latin-1)
    Submit Indexing Job on Save: Select
Exercise 2: Creating an EDM Index for a Directory Group Match
ACME requires that outbound communications from employees living in either France or Switzerland not be monitored. ACME wants to use Directory Group Match detection to accomplish this. The InfoSec Group must first create an Exact Data Profile.
Note: Directory Group Match requires that you first create an EDM index.
1 Create an Exact Data Profile.
    Name: Employee Data and Directory
    Data Source: Upload Data Source to Server Now - c:\SDLP\Lesson_07\Lab_07-02_EDM_for_DGM\HRDirectory.csv
    Column Names: Select the following:
    Error Threshold: 5%
    Column Separator: Comma (,)
    File Encoding: ISO-8859-1 (Latin-1)
    Field Mappings: Data Source Field: Email; System Field: Email
    Submit Indexing Job on Save: Selected
Exercise 3: Using EDM in a Policy
Previously, the InfoSec team created an EDM index (referenced in the ACME Customer Data exact data profile). This index is based on the ACME customer data extract. To protect customer data, the InfoSec team decides to create a new Symantec Data Loss Prevention policy using the ACME Customer Data exact data profile.
The team also knows they need to update the index regularly with new customer data that enters the ACME customer database, and that in between these comprehensive re-indexings, one suggested practice is to include a Data Identifier in the policy to catch unindexed new customer data. Therefore, they plan to include the US Social Security Number Data Identifier in this same policy.
1 Make sure the ACME Protect Customer Data policy is enabled.
2 Click the ACME Protect Customer Data policy for editing.
3 Under the Detection tab, add a new rule.
    Rule: Content Matches Exact Data From: ACME Customer Data
    Rule name: ACME Customer EDM Data
    Conditions
        Match: 3 of the selected fields
        Select: Social Security Number, First Name, Last Name, Email Address, Credit Card
        Excluded Combinations: First Name, Last Name, Email Address
4 Access the Enforce system and place the .eml files in the c:\SDLP\Lesson_07\Lab_07-03_EDM\ folder into the C:\drop folder and view the expected results in the Enforce UI as indicated.
    File Name: High Customer Data to include in report this weekend Hidden Cells.eml
    Result: Match - One incident, 167 match count.
Exercise 4: Using Severity in a Policy
Enforce: Administrator:Training1
ACME's Incident Response Team (IRT) requires the ability to set thresholds to help determine which violations warrant immediate attention, as well as the ability to have the system automatically escalate higher risk violations. The ability to set SEVERITY thresholds helps lower the Total Cost of Ownership (TCO) for ACME.
1 Select policy: ACME Protect Customer Data.
2 Edit rule: ACME Customer EDM Data.
3 Change the Default Severity to Low, and add two new Severities (Med, High).
    Medium: Greater than or Equals 2
    High: Greater than or Equals 15
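The following is an added example (not the course's material and not Symantec's EDM implementation) that puts Exercises 3 and 4 together: a row of the indexed data matches when at least 3 of the 5 selected fields appear and the fields found are not exactly the excluded combination, and the resulting match count is mapped to severity with the thresholds above. The customer rows and messages are constructed; the lab's extract and its 167-count message are not on the page.

```python
import re

# Field names as they appear in the lab's EDM rule.
SELECTED_FIELDS = ("Social Security Number", "First Name", "Last Name",
                   "Email Address", "Credit Card")
MIN_FIELDS = 3                                    # "Match: 3 of the selected fields"
EXCLUDED_COMBINATIONS = [frozenset({"First Name", "Last Name", "Email Address"})]
# Severity thresholds from Exercise 4: default Low, Medium >= 2, High >= 15.
SEVERITY_THRESHOLDS = (("High", 15), ("Medium", 2))

def normalize(value: str) -> str:
    """Compare normalized tokens: case-folded, whitespace collapsed."""
    return re.sub(r"\s+", " ", value.strip().lower())

def build_index(records: list) -> list:
    """Stand-in for the Exact Data Profile: one dict of normalized values per
    row. (A real index stores hashes, not the values; this keeps it readable.)"""
    return [{f: normalize(r[f]) for f in SELECTED_FIELDS} for r in records]

def fields_present(record: dict, text: str) -> frozenset:
    """Which of this row's values occur in the message, as whole tokens."""
    return frozenset(
        f for f, v in record.items()
        if re.search(r"(?<![\w@.-])" + re.escape(v) + r"(?![\w@.-])", text))

def row_matches(found: frozenset) -> bool:
    """A row counts when at least MIN_FIELDS of its values were found and the
    set found is not exactly an excluded combination: name plus e-mail alone
    is ordinary correspondence, not a customer record leak."""
    return len(found) >= MIN_FIELDS and found not in EXCLUDED_COMBINATIONS

def match_count(index: list, text: str) -> int:
    t = normalize(text)
    return sum(1 for rec in index if row_matches(fields_present(rec, t)))

def severity(count: int) -> str:
    for name, threshold in SEVERITY_THRESHOLDS:
        if count >= threshold:
            return name
    return "Low"

def evaluate(index: list, text: str) -> dict:
    n = match_count(index, text)
    return {"incident": n > 0, "match_count": n, "severity": severity(n) if n else None}

# Constructed customer rows (not the lab's extract); 20 rows is enough to cross the High threshold.
FIRST = ["Alice", "Bob", "Carol", "Dan", "Eve", "Frank", "Grace", "Heidi", "Ivan", "Judy"]
RECORDS = [{"Social Security Number": f"{100 + i:03d}-{10 + i:02d}-{1000 + i:04d}",
            "First Name": FIRST[i % 10], "Last Name": f"Surname{i}",
            "Email Address": f"cust{i}@example.com",
            "Credit Card": f"4111 1111 1111 {1000 + i:04d}"} for i in range(20)]
INDEX = build_index(RECORDS)

def row_text(i: int, fields: list) -> str:
    return " ".join(RECORDS[i][f] for f in fields)

# Constructed messages mirroring the lab's High / Medium / Low / no-incident cases.
MSG_HIGH = "Customer data for the weekend report:\n" + "\n".join(
    row_text(i, ["First Name", "Last Name", "Social Security Number"]) for i in range(16))
MSG_MEDIUM = "Two accounts for testing:\n" + "\n".join(
    row_text(i, ["First Name", "Last Name", "Email Address", "Credit Card"]) for i in (3, 4))
MSG_LOW = "One customer: " + row_text(7, ["Social Security Number", "Email Address", "Last Name"])
MSG_NONE = "Contact list:\n" + "\n".join(
    row_text(i, ["First Name", "Last Name", "Email Address"]) for i in range(20))

if __name__ == "__main__":
    for label, msg in [("high", MSG_HIGH), ("medium", MSG_MEDIUM),
                       ("low", MSG_LOW), ("none", MSG_NONE)]:
        print(label, evaluate(INDEX, msg))
```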
Exercise 5: Using DGM in a Policy
Enforce: Administrator:Training1
ACME's HR and Compliance teams currently require that the company only monitor the outbound communications of US, UK and APAC based employees. All other employees are currently exempt from monitoring. This is accomplished by adding a compound rule to the Protect Customer Data policy. The additional AND condition uses a Directory Group Match to identify the employee's country of residence.
1 Access the Enforce system and place the .eml files in the c:\SDLP\Lesson_07\Lab_07-04_DGM\ folder into the C:\drop folder now. Verify that each .eml has created an incident before adding the DGM exception to the policy.
2 Add an exception to the ACME Protect Customer Data policy.
    Sender/User Matches Directory From: Employee Data and Directory
    Exception Name: Country Exception
    Where: Country
    Is Any Of: France, Switzerland
3 Before dropping the .emls again, review the Incident List and make note of your newest Incident ID (sort by ID). This aids you in reviewing the results.
4 Access the Enforce system and place the three .eml files from the C:\SDLP\Lesson_07\Lab_07-04_DGM folder into the C:\drop folder again and view the expected results as indicated in the following table.
    File Name          Result
    US-UK-APAC.eml     Creates an incident (167 match count) before and after you add the DGM exception to the policy.
    France.eml         Creates an incident the first time, but does not create an incident after you add the DGM exception.
    Switzerland.eml    Creates an incident the first time, but does not create an incident after you add the DGM exception.
End of lab
Lab 8: Indexed Document Matching
The purpose of this lab is to reinforce your working knowledge of the Indexed Document Matching (IDM) detection methods. In this lab, you create policies that include IDM rules and then capture incidents with those policies. As part of this process, you create IDM indexes.
Exercise 1: Create an IDM Index
Enforce: Administrator:Training1
ACME has built its business by acquisition and expects to continue with that strategy. The project team wants to establish a strategy and policy to protect sensitive data with respect to Mergers and Acquisitions. The InfoSec team protects the sensitive data using Indexed Document Matching.
1 Verify that all policies are suspended.
2 Create a Document Profile.
    Name: ACME Mergers Documents
    Document Source: Upload Document Archive to Server Now - c:\SDLP\Lesson_08\Lab_08-01_IDM_Index\Mergers Highly Sensitive Docs.zip
    Submit Indexing Job on Save: Select
Exercise 2: Using IDM in a Policy
ACME's CFO and Legal Counsel are concerned about protecting data regarding Mergers and Acquisitions. The InfoSec team has already created the Indexed Document Profile. They have decided to modify the Mergers and Acquisition Data policy that was delivered with the solution.
1 Verify that the ACME Protect Customer Data policy is suspended.
2 Activate and open the Merger and Acquisition Agreements policy.
3 Under the Detection tab, add a rule.
    Content Matches Document Signature from: ACME Mergers Documents
    Rule Name: Protect Merger Docs
    Minimum Document Exposure: 30%
4 Assign the policy to the Corporate Financial Data Group policy group.
5 Access the Enforce system and place the three .eml files from the C:\SDLP\Lesson_08\Lab_08-02_IDM folder into the C:\drop folder again and view the expected results as indicated in the following table.
    File Name                    Result
    50% Paste in other doc.eml   An incident is created (one match count, matching 70% of one of the indexed documents).
    10% in body.eml              No incident created.
    Early QFinancials.eml        No incident created.
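The following is an added example (not the course's material, and only an approximation of how Symantec's IDM fingerprints documents) of what "Minimum Document Exposure: 30%" means: the profile stores digests of overlapping word runs from each indexed document, and a message matches a document when the fraction of that document's digests found in the message reaches the threshold. The indexed document, the filler text and the shingle length K are constructed for the example.

```python
import hashlib
import re

K = 5                    # words per shingle; a constructed choice, not the product's parameter
MIN_EXPOSURE = 0.30      # "Minimum Document Exposure: 30%"

def tokens(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())

def shingles(words: list) -> set:
    """Digest every run of K consecutive words. The profile keeps only these
    digests, so the indexed documents themselves never leave the archive."""
    return {hashlib.sha256(" ".join(words[i:i + K]).encode()).hexdigest()[:16]
            for i in range(len(words) - K + 1)}

def build_index(docs: dict) -> dict:
    return {name: shingles(tokens(text)) for name, text in docs.items()}

def exposure(doc_shingles: set, message: str) -> float:
    """Fraction of the indexed document's shingles that occur in the message."""
    if not doc_shingles:
        return 0.0
    return len(doc_shingles & shingles(tokens(message))) / len(doc_shingles)

def detect(index: dict, message: str) -> dict:
    """One match per indexed document whose exposure reaches the threshold;
    the per-document exposure is returned so the threshold can be tuned."""
    hits = {name: round(exposure(s, message), 3) for name, s in index.items()}
    matched = [n for n, e in hits.items() if e >= MIN_EXPOSURE]
    return {"incident": bool(matched), "match_count": len(matched), "exposure": hits}

# Constructed stand-in for the indexed archive: 100 distinct words, so every
# shingle is unique and the exposure figure is easy to reason about.
DOC_WORDS = [f"merger{i:03d}" for i in range(100)]
INDEX = build_index({"term-sheet.txt": " ".join(DOC_WORDS)})
FILLER = [f"filler{i}" for i in range(150)]

def paste(fraction: float) -> str:
    """Message that embeds the first `fraction` of the sensitive document in unrelated text."""
    n = int(len(DOC_WORDS) * fraction)
    return " ".join(FILLER[:60] + DOC_WORDS[:n] + FILLER[60:])

if __name__ == "__main__":
    for label, msg in [("70% pasted", paste(0.70)), ("10% pasted", paste(0.10)),
                       ("unrelated", " ".join(FILLER))]:
        print(label, detect(INDEX, msg))
```

Pasting 70 of the 100 words yields 66 of the document's 96 shingles (about 69% exposure, an incident); pasting 10 words yields 6 (about 6%, no incident).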
Exercise 3: Policy Management - Scheduling IDM Indexings
Enforce: Administrator:Training1
ACME's finance department wants to ensure its quarterly earnings reports are not distributed to unauthorized viewers before public release. The quarterly earnings report contains specific financial information and data that must be protected.
Often, customers refresh the Indexed Document Profile (IDP) on a schedule (daily, weekly, monthly, and so on) and place the documents used to create the IDP in a predefined secure file share. ACME uses this location to tell Symantec Data Loss Prevention where to find the appropriate documents to index, after the pre-release financials are indexed. The ACME InfoSec team creates a new policy to protect this data.
1 Suspend the Merger and Acquisition Documents policy.
2 Create a new Indexed Document Profile called ACME Quarterly Financials to protect the pre-release quarterly financials that the finance team saves to the secure file share \\Enforce\Private-Finance.
Note: Consider the following: Do you have all the information you need? If not, what do you need to complete this task?
3 Create a policy to detect pre-release Quarterly Financials.
4 Access the Enforce system and place the three .eml files from the C:\SDLP\Lesson_08\Lab_08-03_Index_Scheduling folder into the C:\drop folder again and view the expected results as indicated in the following table.
    File Name                    Result
    50% Paste in other doc.eml   No incident created for this policy.
    10% in body.eml              No incident created for this policy.
    Early QFinancials.eml        One incident created for this policy.
Exercise 4: Adding automated responses to a policy
Enforce: Administrator:Training1
Add the three response rules you created in an earlier exercise to the ACME Protect Customer Data policy.
1 Suspend the ACME Protect Financial Data policy.
2 Activate and edit a policy to include three response rules.
    Name: ACME Protect Customer Data
    Response Rules: ACME High Severity Rule, ACME Med Severity Rule, ACME Low Severity Rule
3 Access the Enforce system and place the .eml files from the C:\SDLP\Lesson_08\Lab_08-04_Response folder into the C:\drop folder and view the expected results as indicated in the following table.
4 If any of the .emls did not create an incident, why not? (Hint: Are there any exceptions?) Fix the problem (and retest the .eml files).
5 Access the Enforce system and place the .eml files from the C:\SDLP\Lesson_08\Lab_08-04_Response folder into the C:\drop folder again and view the expected results as indicated in the following table.
    File Name: PCI data - from Switzerland.eml
    Result: HIGH - A high-severity incident (167 match count) is created against this policy after you remove the exception from the policy.
    File Name: Review Customer over weekend - Hidden Cells.eml
    Result: No incident is created, because the names and Social Security Numbers in this e-mail do not match the data in the EDM index.
    File Name: Customer-Data.eml
    Result: HIGH - A high-severity incident (167 match count) is created.
    File Name: Account Data for testing programs.eml
    Result: Med - A medium-severity incident (13 match count) is created against this policy after you remove the exception from the policy.
    File Name: Here is the customers information attached with directions.eml
    Result: Low - A low-severity incident is created (1 match count).
Exercise 5: Executing a Smart Response to an incident
Enforce: Administrator:Training1
Locate the medium-severity incident captured in the last exercise and execute the Smart Response you created previously.
1 Locate the medium-severity incident captured in the last exercise.
2 Execute the ACME Training Response Smart Response Rule.
3 In the Incident Snapshot, review the incident History and Notes tabs.
RESULTS
The History section in the Incident Snapshot indicates that the status was changed to Resolved Education and the note Conducted Training has been added.
4 Suspend the ACME Protect Customer Data policy.
End of lab
Lab 9: Vector Machine Learning
The purpose of this lab is to reinforce your working knowledge of the Vector Machine Learning (VML) detection method. In this lab, you create a policy that includes VML similarity scores, and then capture incidents with that policy. As part of this process, you import positive and negative documents for the VML training process.
Exercise 1: Configure Vector Machine Learning
Enforce: Administrator:train
ACME's IT team needs to configure a Vector Machine Learning profile to protect source code written in Java.
1 Create a Vector Machine Learning profile.
    Profile Name: ACME Source Code VML
    Positive set: VML_Positive.zip
    Negative set: VML_Negative.zip
    Similarity Threshold: 0
2 Create a policy that uses the ACME Source Code VML profile.
    Policy/Rule Name: ACME Source Code VML
    Policy Group: Default Policy Group
    VML Profile: ACME Source Code VML
3 Access the Enforce system and place the Java module files.eml file from the C:\SDLP\Lesson_09\Lab_09-01_VML folder into the C:\drop folder.
4 Review the new incident snapshot.
5 Suspend the ACME Source Code VML policy.
End of lab
Lab 10: Network Monitor Review
The purpose of this lab is to reinforce your working knowledge of IP and Layer 7 filters used by the system. In this lab you become familiar with the syntax used for creating IP and L7 filters within the UI and apply them to the system.
Lab setup
The IP Filtering lab is a paper lab. No virtual machine images are used. Use virtual machine images for the L7 Filters lab.
Exercise 1: IP Filtering (Part 1)
ACME Company wants to monitor (include) all the outbound traffic from the 10.1.0.0/16 subnet except for the traffic from an internal Web server at 10.1.1.5. Additionally, ACME only wants to monitor outbound traffic.
1 Create an IP filter that can do this.
2 Based on the IP filter that you created in step 1, what happens to outgoing traffic from 10.1.1.5?
3 What happens to outgoing traffic from 10.1.1.9?
4 What happens to incoming traffic from 23.127.39.90?
Exercise 2: IP Filtering (Part 2)
ACME Company wants to filter out internal traffic within the subnet, because they have not placed Symantec Data Loss Prevention at the exit point of the network. ACME does not want to monitor any internal traffic that is routed within the 10.1.0.0/16 subnet, only traffic destined for the internet. ACME does not want to monitor inbound traffic.
HINT: Keep traffic from 10.1.0.0/16 that is headed out of the network and exclude all other traffic.
1 Create an IP filter to do this.
2 Based on the IP filter that you created in step 1, what happens to internal traffic with a destination IP of 10.1.1.9?
3 What happens to incoming traffic with a source IP of 23.127.39.90?
Exercise 3: IP Filtering (Part 3)
ACME Company wants to monitor all outbound traffic except traffic destined for a trusted partner. ACME does not want to monitor inbound traffic.
1 Create an IP filter to do this.
2 Based on the IP filter that you created in step 1, what happens to outgoing traffic with a destination IP of 64.62.39.90?
3 What happens to outgoing traffic with a source IP of 10.1.1.9?
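The following is an added example (not the course's answer key, and not the syntax of Symantec's IP filter UI, which the page does not show) that works the three paper exercises as ordered include/exclude rules on source and destination networks, first match wins, and default not monitored. The trusted partner range 203.0.113.0/24 and the external host 198.51.100.7 are constructed placeholders; the other addresses are the ones the exercises ask about.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.1.0.0/16")
WEB_SERVER = ip_network("10.1.1.5/32")
# The page does not name the trusted partner's address range; this one is a placeholder.
TRUSTED_PARTNER = ip_network("203.0.113.0/24")

@dataclass(frozen=True)
class Rule:
    action: str            # "include" (monitor) or "exclude" (ignore)
    src: IPv4Network
    dst: IPv4Network

def monitored(rules: list, src: str, dst: str) -> bool:
    """First matching rule wins; traffic that matches no rule is not monitored.
    Direction falls out of the addresses: an internal source with a non-internal
    destination is outbound, so "outbound only" needs no separate flag."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action == "include"
    return False

# Exercise 1: outbound from 10.1.0.0/16 except the Web server; nothing inbound.
# The exclude must precede the include, because the Web server is inside the subnet.
# Note that this filter still monitors traffic between two internal hosts.
FILTER_1 = [Rule("exclude", WEB_SERVER, ANY), Rule("include", INTERNAL, ANY)]
# Exercise 2: also drop traffic that never leaves the subnet.
FILTER_2 = [Rule("exclude", INTERNAL, INTERNAL), Rule("include", INTERNAL, ANY)]
# Exercise 3: all outbound traffic except what is destined for the trusted partner.
FILTER_3 = [Rule("exclude", ANY, TRUSTED_PARTNER), Rule("include", INTERNAL, ANY)]

def answers() -> dict:
    """The exercises' questions evaluated against each filter. 198.51.100.7 is a
    constructed external host; the other addresses come from the exercises."""
    return {
        "ex1_web_server_out": monitored(FILTER_1, "10.1.1.5", "198.51.100.7"),
        "ex1_host_out": monitored(FILTER_1, "10.1.1.9", "198.51.100.7"),
        "ex1_inbound": monitored(FILTER_1, "23.127.39.90", "10.1.1.9"),
        "ex2_internal": monitored(FILTER_2, "10.1.2.8", "10.1.1.9"),
        "ex2_inbound": monitored(FILTER_2, "23.127.39.90", "10.1.1.9"),
        "ex3_to_partner": monitored(FILTER_3, "10.1.1.9", "203.0.113.10"),
        "ex3_to_other": monitored(FILTER_3, "10.1.1.9", "64.62.39.90"),
    }

if __name__ == "__main__":
    for question, result in answers().items():
        print(f"{question:<20} monitored={result}")
```

Reversing the two rules of FILTER_1 silently re-enables monitoring of the Web server, which is why rule order is the first thing to check when a filter does not behave as intended.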
Exercise 4: L7 Filters
Enforce: Administrator:Training1
In this lab you apply L7 filters locally at the Enforce server level.
1 Activate the E-mail Test Policy.
2 Edit the E-mail Test Policy by adding L7 as a keyword in the existing rule.
3 Edit the L7 Recipient Filter in the SMTP protocol with the following: [email protected].
4 Save and recycle the detection server.
5 Copy and paste the c:\SDLP\Lesson_04\Lab_04-02_Keyword\lab4test.eml file into the c:\drop folder.
Question: Should an incident be created? Why?
6 Using L7 filters only, write the filter(s) to do the following: Do NOT monitor the outbound SMTP traffic from [email protected] or [email protected].
7 Drop all the .eml files from the c:\SDLP\Lesson_10\Lab_10-02_L7_Filters folder into the c:\drop folder and review your results.
Question: How many incidents were created? Why might there be a discrepancy?
8 Clear all existing L7 Filters in the SMTP protocol.
9 Using L7 filters only, write the filters to do the following:
Monitor all outbound traffic sent from anyone with domain acme.com to all external domains. Do not monitor sub-domains of acme.com (for example, benefits.acme.com).
10 Drop all .eml files in the c:\SDLP\Lesson_10\Lab_10-02_L7_Filters folder into the c:\drop folder and review expected results.
Question: How many incidents were created? Why?
11 Clear all existing L7 Filters in the SMTP protocol.
12 Recycle the detection server and suspend the E-mail Test Policy.
End of lab
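Steps 6 to 10 of Exercise 4 ask you to reason about sender and recipient filters: excluding named senders, including a domain without its sub-domains, and explaining why the incident count after step 7 may not be what you expect when a message has several recipients. The following Python script is an added example, not part of the lab manual and not Symantec's L7 filter syntax. It models a filter as an ordered list of (action, field, glob) entries evaluated against the addresses parsed from each .eml, and shows why "*@acme.com" leaves benefits.acme.com unmonitored while "*acme.com" does not. The sample messages and the quantifier rule (an exclusion fires only when every address in the field matches) are constructed assumptions; step 6 is the same mechanism with two "exclude sender" entries, not reproduced here because the page's addresses are redacted.

```python
"""L7 sender/recipient filter model for steps 6 to 10 of Exercise 4.

Added example, not from the lab manual and not Symantec's L7 filter syntax.
Model: a filter is an ordered list of (action, field, glob) entries; field is
"sender" or "recipient"; glob is an fnmatch pattern matched against each
lower-cased address in that field; an "include" entry fires when any address
matches, an "exclude" entry only when every address in the field matches, so
a message with one external recipient is never silently dropped; the first
entry that fires decides; a message matching nothing is monitored.
"""
import fnmatch
from email import message_from_string
from email.utils import getaddresses


def addresses(msg, *headers):
    """Lower-cased addresses collected from the given headers."""
    raw = [value for header in headers for value in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def decide(rules, msg):
    """True if the message is handed to detection, False if filtered out."""
    fields = {
        "sender": addresses(msg, "From"),
        "recipient": addresses(msg, "To", "Cc", "Bcc"),
    }
    for action, field, pattern in rules:
        candidates = fields[field]
        quantifier = any if action == "include" else all
        if candidates and quantifier(fnmatch.fnmatchcase(a, pattern) for a in candidates):
            return action == "include"
    return True   # modelled default: nothing matched, so monitor


def monitored(rules, raw_messages):
    """Apply the filter to a list of raw RFC 822 messages."""
    return [decide(rules, message_from_string(raw)) for raw in raw_messages]


# Step 9: monitor mail from acme.com to external domains, not from sub-domains.
# "*@acme.com" cannot match bob@benefits.acme.com because the character
# before "acme.com" must be "@"; the looser "*acme.com" matches it.
STEP_9_EXACT_DOMAIN = [
    ("exclude", "recipient", "*@acme.com"),   # every recipient is internal
    ("include", "sender", "*@acme.com"),
    ("exclude", "sender", "*"),               # everything else
]
STEP_9_LOOSE_DOMAIN = [
    ("exclude", "recipient", "*acme.com"),
    ("include", "sender", "*acme.com"),
    ("exclude", "sender", "*"),
]

SAMPLE_MESSAGES = [   # constructed .eml contents, not the lab's files
    "From: alice@acme.com\nTo: partner@example.net\nSubject: q3\n\nbody\n",
    "From: bob@benefits.acme.com\nTo: partner@example.net\nSubject: hr\n\nbody\n",
    "From: alice@acme.com\nTo: carol@acme.com\nSubject: lunch\n\nbody\n",
    "From: mallory@example.org\nTo: alice@acme.com\nSubject: hi\n\nbody\n",
    "From: alice@acme.com\nTo: carol@acme.com\nCc: partner@example.net\nSubject: fwd\n\nbody\n",
]

if __name__ == "__main__":
    for label, rules in (("exact", STEP_9_EXACT_DOMAIN), ("loose", STEP_9_LOOSE_DOMAIN)):
        print(label, monitored(rules, SAMPLE_MESSAGES))
```

The fifth message is the one that explains a discrepancy in step 7: it has an internal recipient and an external one, so a recipient exclusion that fires on any match would drop it, while one that requires every recipient to match keeps it under detection.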
Lab 11: Network Prevent
The purpose of this lab is to reinforce your working knowledge of Network Prevent. In this lab, you configure Symantec Data Loss Prevention to block a confidential e-mail and to send notifications to the e-mail sender and his or her manager. You also configure Symantec Data Loss Prevention to reroute an e-mail for downstream encryption.
Lab setup
Use the Enforce and EndpointClient virtual machine images for this lab.
Exercise 1: Network Prevent Blocking an SMTP Message
Enforce: Administrator:Training1
ACME's project team has elected to block certain high-risk SMTP communications as part of their phased roll-out of Symantec Data Loss Prevention. After ensuring that their ACME Protect Customer Data policy is accurate, they have decided to block all SMTP messages that violate that policy.
Best Practice: Before turning on Network Prevent (Email), make sure all policies deploying SMTP Prevent response rules have been tested in your QA mail environment. This is to ensure policy accuracy and to confirm that offending SMTP messages are blocked or redirected and that non-offending messages can proceed normally through your mail chain. Symantec strongly recommends that, before turning on Network Prevent (Email), you notify your employees that their e-mail is being monitored and could be blocked.
1 Flip the server to Network Prevent (Email).
2 Verify that the ACME Protect Customer Data policy is enabled.
3 Create a new Automated Response Rule that blocks e-mail, using the following settings:
Name: ACME Block SMTP Rule
Description: Notify Sender and Manager, Message Blocked.
Condition: Protocol or Endpoint Monitoring is any of SMTP
Action: Network Prevent: Block SMTP Message
Action: All: Send Email Notification (for the sender)
Action: All: Send Email Notification (for the sender's manager)
4 Add the new response rule to the ACME Protect Customer Data policy.
5 Send an ordinary e-mail that contains no confidential information. On the EndpointClient system, open Mozilla Thunderbird and send the e-mail titled "Hi, Larry" from the Drafts folder.
6 Confirm that the e-mail went through to Larry's inbox. Switch to Larry Outsider's inbox in Mozilla Thunderbird.
7 Send an e-mail containing confidential information.
a Sender: Joe User
b E-mail name: "Customer Data to Include in Report this Weekend" (located in the Drafts folder of Mozilla Thunderbird on the Endpoint system).
8 Confirm that Network Prevent (Email) rerouted the confidential e-mail to IT Security (and did not send it to Larry). Switch to Larry Outsider's inbox.
9 Confirm that Jane Manager received a notification e-mail. Switch to Jane Manager's inbox.
EndpointClient: Joe:Training1
Enforce: Administrator:Training1
10 Review the incident in the Enforce administration console.
11 After reviewing the incident, suspend the ACME Protect Customer Data policy.
Exercise 2: Network Prevent Enforce Encryption of an SMTP Message
EndpointClient: Joe:Training1
ACME's project team has elected to enforce encryption of all employee-related health information sent to their trusted benefits provider. ACME uses Symantec Encryption Management Server as their enterprise encryption tool. To enforce encryption, ACME configures Network Prevent (Email) to modify confidential e-mails by adding a header that the next-hop MTA recognizes as an instruction to redirect the message to Symantec Encryption Management Server. In this exercise, the header name is X-PGP-Redirect.
Note: This exercise asks you to configure the appropriate response rule, add it to a policy, and send a confidential e-mail. In the lab environment, Network Prevent (Email) adds the header specified in the response rule to the confidential e-mail, but the MTA does not forward the e-mail to an encryption gateway, because the lab environment does not include one. The resulting incident, however, looks the same as if the e-mail had been redirected.
1 Create a new Automated Response rule with the following settings:
Name: ACME Encrypt SMTP Rule
Description: Redirect Message to PGP-Encryption Gateway
Condition: Protocol or Endpoint Monitoring is any of SMTP
Action: Network Prevent: Modify SMTP Message
Header 1 Name: X-PGP-Redirect
Header 1 Value: Yes
2 Customize the HIPAA (including PHI) policy to include the new Automated Response rule, and change the SSN data identifier in the SSN and Disease Keywords detection condition to medium breadth.
3 Send an e-mail containing confidential information.
4 Review the incident in the Enforce administration console.
5 After reviewing the incident, suspend the HIPAA (including PHI) policy.
Enforce: Administrator:Training1
End of lab
Lab 13: Network Discover and Network Protect
The purpose of this lab is to reinforce your working knowledge of Network Discover and Network Protect. In this lab, you create Discover Targets, configure filters, scan a file system, view actionable incident data, and quarantine sensitive files. After working with scans, you run reports, including a differential report based upon a differential scan.
Lab setup
Use the Enforce virtual machine image for this lab.
Exercise 1: Scanning a File-System Target
Enforce: Administrator:Training1
ACME is concerned that sensitive data may be wrongly exposed on corporate servers. They understand that data at rest is just one click away from being data in motion. To ensure that highly sensitive data is protected, the project team has asked the Information Security (InfoSec) team to look for mergers and acquisitions data as well as pre-release financial data on the Private-Finance share and to report whether any such data is found.
In this exercise you create a target using the first of two methods for identifying shares (a share list file) and run a scan that produces incidents. You then create a second target using the other method (a single UNC path) and run it as well.
1 Activate the ACME Protect Financial Data and Merger and Acquisition Agreements policies if they are not already active.
2 Flip the server to Network Discover.
3 Add a Discover Target.
Type: Server File System
4 Configure the General tab.
Name: ACME Scan for Financial Data
Policy group: Corporate Financial Data Group
Scan Type: Full Scan
5 Configure the Scanned Content tab.
Default Username: Administrator
Default Password: Training1
Share File: c:\SDLP\Lesson_13\Lab_13-01_Sharelist\ACMEShareList.txt
6 Start the scan.
7 Review the scan results.
First scan results:
Items Scanned = 54
Errors = 1
Incidents = 5
Why is there an error?
8 Open one of the downloadable reports.
9 View incidents.
10 Create a new File System Target with an individual share.
Type: Server File System
Name: ACME Private Financials
Policy Group: Corporate Financial Data Group
Default Username: Administrator
Default Password: Training1
UNC Path: \\Enforce\Private-Finance
11 Start the scan and refresh until complete.
12 Review the scan results.
Second scan results:
Items Scanned = 1
Errors = 0
Incidents = 1
Incident Remediation Tracking
13 Note the incident number from step 12.
14 Click the ACME Private Financials scan.
15 Click the Advanced tab.
16 Verify that Item No Longer Exists is selected under the Remediation Detection Preferences section.
17 Click Cancel.
18 Move the Q3DeptEarnings.xls file from the C:\Private-Finance\Financial-Quarterly folder to the desktop.
19 Start the ACME Private Financials scan and refresh until complete.
20 Navigate to Incidents > Discover > Incidents > New.
21 Locate and click the incident from step 12.
22 Notice the following new field under the Incident Details section:
Name: Remediation Detection Status
Description: Item No Longer Exists
23 Copy the Q3DeptEarnings.xls file from the desktop to the C:\Private-Finance\Financial-Quarterly folder.
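Exercise 1 exercises three behaviours of a Discover scan that are easy to take on faith from the console: a share-list entry that cannot be reached is counted as an error rather than stopping the scan, each matching file becomes an incident, and on a later scan an incident whose file has been moved away is marked Item No Longer Exists. The following Python script is an added example, not part of the lab manual and not Symantec's Discover engine; it reimplements those three behaviours over a constructed share tree in a temporary directory, with constructed regexes standing in for the two lab policies and a deliberately stale share-list entry standing in for the lab's one error.

```python
"""File-system scan with remediation detection, modelled on Exercise 1.

Added example, not from the lab manual and not Symantec's Discover engine.
Model: scan_shares() walks each share root, matches file contents against
policy regexes and returns counters plus incidents; an unreachable share is
counted as an error, as a stale share-list entry would be; rescan() re-runs
the scan and marks earlier incidents whose file is gone "Item No Longer
Exists". Share tree, policy patterns and share list are constructed in a
temporary directory so this runs offline.
"""
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for the lab's two policies, not their real rules.
POLICIES = {
    "ACME Protect Financial Data": re.compile(r"\bpre-release earnings\b", re.I),
    "Merger and Acquisition Agreements": re.compile(r"\bmerger agreement\b", re.I),
}


def scan_shares(share_roots, policies=POLICIES):
    """Return (counters, incidents) for a list of share roots."""
    counters = {"items_scanned": 0, "errors": 0, "incidents": 0}
    incidents = []
    for root in map(Path, share_roots):
        if not root.is_dir():
            counters["errors"] += 1      # unreachable share: the "Errors = 1" case
            continue
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            counters["items_scanned"] += 1
            try:
                text = path.read_text(errors="replace")
            except OSError:
                counters["errors"] += 1  # e.g. access denied on one file
                continue
            for policy, pattern in policies.items():
                if pattern.search(text):
                    incidents.append({"path": str(path), "policy": policy,
                                      "remediation_status": None})
                    counters["incidents"] += 1
    return counters, incidents


def rescan(share_roots, previous_incidents, policies=POLICIES):
    """Re-scan and update the remediation status of earlier incidents in place."""
    counters, current = scan_shares(share_roots, policies)
    still_matching = {(i["path"], i["policy"]) for i in current}
    for inc in previous_incidents:
        if not Path(inc["path"]).exists():
            inc["remediation_status"] = "Item No Longer Exists"
        elif (inc["path"], inc["policy"]) not in still_matching:
            inc["remediation_status"] = "Content No Longer Matches"  # this model's own label
    return counters, previous_incidents


def status_by_name(incidents):
    """Map file name to remediation status, for reporting and checking."""
    return {Path(i["path"]).name: i["remediation_status"] for i in incidents}


def build_demo_share():
    """Constructed share tree echoing the lab's Private-Finance layout."""
    root = Path(tempfile.mkdtemp(prefix="Private-Finance-"))
    (root / "Financial-Quarterly").mkdir()
    (root / "Financial-Quarterly" / "Q3DeptEarnings.txt").write_text(
        "Pre-release earnings for Q3. Do not distribute.\n")
    (root / "Legal").mkdir()
    (root / "Legal" / "term-sheet.txt").write_text("Draft merger agreement, confidential.\n")
    (root / "readme.txt").write_text("Nothing sensitive here.\n")
    return root


def demo():
    """First scan, then the lab's step 18 (file moved out) and a rescan."""
    root = build_demo_share()
    share_list = [root, root.parent / "no-such-share"]   # second entry is stale
    first, incidents = scan_shares(share_list)
    (root / "Financial-Quarterly" / "Q3DeptEarnings.txt").unlink()
    second, tracked = rescan(share_list, incidents)
    return first, second, tracked


if __name__ == "__main__":
    first, second, tracked = demo()
    print("first:", first)
    print("second:", second)
    for name, status in status_by_name(tracked).items():
        print(name, status)
```

Note that the error counter is unchanged by the rescan: a stale share-list entry keeps producing one error on every run until it is removed, which is what the lab's "Why is there an error?" question is getting at.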
Exercise 2: Using Filters
ACME's InfoSec team is preparing to scan terabytes of information looking for confidential financial information. To reduce the amount of unnecessary data to be scanned, they add filters to their Discover Target. In this exercise, you combine the two scans from the previous exercise by updating the first target's share list with the individual share from the second target.
1 Add a single share to the share list.
Add \\Enforce\Private-Finance to ACMEShareList.txt (located at c:\Vontu\Protect\sharelists\).
2 Edit the File System Target.
3 Start the scan and refresh until completed.
4 Review the scan results and incidents, and note the filtered files in detail.
Scan results:
Items Scanned = 42
Errors = 1
Incidents = 6
Enforce: Administrator:Train